Guidelines DPIA … for whom / for what ??

By | Wednesday May 3rd, 2017

On 4.4.2017 the WP has adopted the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679” the question is  why, for whom and for what. The answer is inside the document and is not a secondary matter because if we don’t considered it, we will probably don’t understand it in an appropriately manner.

The present guidelines take a consistent interpretation of the circumstances in which a DPIA is required (Art. 35 para. 3), clarify the notion and provide for the lists to be adopted by DPAs under Art. 35 para. 4. The scope of guidelines is anticipate the future EDPB’s mission according to Art. 70 para. 1-e and, therefore, to clarify the relevant provisions of the GDPR in order to help controllers to comply with the law and to provide legal certainty for controllers who are required to carry out a DPIA. These Guidelines also seek to promote the development of:

– a common European Union list of processing operations for which a DPIA is mandatory Art 35 para. 4;

– a common EU list of processing operations for which a DPIA is not necessary Article 35 para. 5;

– common criteria on the methodology for carrying out a DPIA Art. 35 para. 5;

– common criteria for specifying when the supervisory authority shall be consulted Art. 36 para. 1;

– recommendations, where possible building on the experience gained in EU Member States.

In compliance with their scope the guidelines provide for a lot of very useful data like addidtional criteria … and operations for processing DPIA or when DPIA is not necessary, how to do DPIA and which methodologies are used for carrying out a DPIA. Very important is that DPIA under the GDPR is a tool for managing risks to the rights of the data subjects. At the end the guidelines take a good notice: an international standard will also provide guidelines for methodologies used for carrying out a DPIA ISO/IEC 29134 (project), Information technology – Security techniques – Privacy impact assessment – Guidelines, International Organization for Standardization (ISO) …

Hope so… this kind of notice makes feel better!

Note: All the law articles in the present post are referred to Reg. Ue 2016/679

Category: Impact, Risk and Measures Legal framework Tags: , , , , , , ,

About laura.marretta

Avv. Laura Marretta Dopo aver conseguito la Maturità Classica presso l’Istituto Marcelline di Milano e la Laurea in Giurisprudenza presso l’Univeristà Cattolica del Sacro Cuore diventa Avvocato del Foro di Milano ed è Partner dello Studio Legale Internazionale Romolotti Marretta dal 2006. Svolge la propria attività professionale con particolare riferimento ai settori della Privacy e Data Security, Tutela del Segreto Industriale, Diritto della Moda, Energy, e Sistemi di Organizzazione Aziendale (normative UNI CEI ed ISO) nonché in ambito di Certificazioni e Marcatura CE. Svolge il ruolo di DPO presso enti associativi di rilevanza nazionale nonché per conto di società del settore industriale e dei servizi. E’ relatrice presso corsi e convegni sul territorio nazionale, con specifico riferimento ai settori della privacy e della video security. Collabora in pubblicazioni nazionali ed internazionali ( tra le quali numerose edizioni annuali di Doing Business edito dalla World Bank Maturità Classica at Istituto Marcelline of Milan, Graduated in Law at Univeristà Cattolica del Sacro Cuore, Attorney at Law of the Milan Bar, is a Partner of Romolotti Marretta International Law Firm since 2006. Her professional activity is focused on Privacy and Data Security, Trade Secret Protection, Fashion Law, Energy Law, Enterprise Organization (UNI CEI and ISO standards), Certification and CE mark. She is DPO in associations at national level and companies of the industrial and services areas. Speaker at seminars and conferences with specific reference to privacy and videosecurity law, she is a contributor in national and international publications, included several editions of Doing Business edited by World Bank (

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.